Preface


Welcome to Qualys Cloud Platform! In this guide, we will show you how to install and use the 
Qualys IaC Security extension to see your Infrastructure as Code (IaC) scan data in Azure 
DevOps. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical security 
intelligence on demand and automating the full spectrum of auditing, compliance, and 
protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed service 
providers and consulting organizations, including Accenture, BT, Cognizant Technology 
Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, 
SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding 
member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your questions 
are answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access 
support information at www.qualys.com/support/


About IaC Security Extension Documentation


This document provides information about using the Qualys IaC Security extension for Azure 
DevOps. 


For supported templates, other integrations, and features of CloudView IaC Security, refer to 
CloudView User Guide and CloudView API User Guide. 
Introduction


The Qualys IaC Security extension empowers DevOps teams to build Infrastructure as Code (IaC) 
scans into their existing CI/CD processes. By integrating scans in this manner, cloud 
misconfigurations are detected and remediated earlier in the SDLC to catch and eliminate 
security flaws. 


Pre-requisites 


Ensure that you have the required subscription and permissions as stated below. 


- The current version of the Qualys IaC Security extension supports only “Azure DevOps 
Services”. You can use self-hosted agents or out-of-box agents by Microsoft.


- You must have valid account credentials for the Qualys CloudView (Cloud Security Assessment) 
app. The user must have API access enabled and a role assigned with all the necessary 
permissions.


- Ensure that the Azure DevOps user account used for configuring the Qualys IaC Security extension is 
part of the Project Collection Administrators group. To view the Project Collection 
Administrators group, go to Organization Settings > Permissions > Project Collection 
Administrators.


Install the Extension from Azure DevOps Marketplace 


You can install the Qualys IaC Security extension for Azure DevOps from Azure DevOps 
Marketplace. 


Install the extension 


1. To install the extension from the Azure DevOps marketplace, log in to your Azure DevOps 
instance.

2. Click the Marketplace icon on the upper-right side of the page and click Browse marketplace. A new 
browser tab opens to show you the extensions for Azure DevOps.

3. Enter Qualys in the search bar to search for all the Qualys extensions.

4. Click the Qualys IaC Security extension in the extensions list.

5. Click Get it free. You will be navigated to the Visual Studio Marketplace screen.

6. Select the organization and click Install to install the extension in your Azure DevOps 
instance.


You can see the extension version in the Installed tab when you navigate to Organization 
Settings > Extension. 


[Screenshot: Organization Settings > Extensions > Installed, listing Qualys IaC Security (publisher Qualys, last updated Apr 1, 2022) with the history entries "Updated version to 1.1.0" and "Installed".]
The installation is now complete.


Note: If you have already installed version 1.0.0, the extension will be automatically updated to 
the version 1.1.0. 


Configure the Extension 


The Qualys IaC Security extension can be added as a task in your Build pipeline. 


Configure the Extension for Build Pipelines Projects 
You can use the Qualys IaC Security extension as a pre-deployment task in your project pipeline. 
After installing, you can see the Qualys IaC Security extension as a task in your pipeline. 


In the Tasks tab, click the + icon under your agent job, and search for Scan IaC templates using 
Qualys CloudView. Click Add to add the extension as a task in the build pipeline.


[Screenshot: Build pipeline Tasks tab with the Add tasks panel open, showing the task "Scan IaC templates using Qualys CloudView - Detect Misconfigurations in IaC Templates using Qualys CloudView" under Agent job 1.]


Click the task under the agent job to configure the extension. 


[Screenshot: Task configuration pane for "Scan IaC templates using Qualys CloudView" (Task version 1.x), with the Display name field, the IaC Scan service/server endpoint field (with a Manage link) and the Launch Scan API Parameters section. Before the endpoint is configured, the task shows the warning "Some settings need attention".]


After entering the display name, you need to provide the IaC scan service endpoint to connect to 
CloudView APIs. You can use the preconfigured IaC scan service endpoint or configure a new 
service endpoint. 


To configure a new service endpoint, go to the IaC Scan service/server endpoint field and click 
New. 
[Screenshot: New service connection dialog with the fields Qualys Platform URL (example: https://qualysguard.qualys.com), Authentication (Username, Password), Use Proxy (optional), Proxy Server (optional), Proxy Port (optional), Proxy Username (optional), Proxy Password (optional), Service connection name (example: USPOD-1 Service Connection), Description (optional) and the Security option "Grant access permission to all pipelines", with Save and Troubleshoot buttons.]


In the New service connection screen, enter the Qualys platform URL, Username, and 
Password. Provide a Service connection name and click Save. Once added, the service endpoint 
is listed in the IaC Scan service/server endpoint drop-down field. 


Note: The Qualys platform URL that you use here depends on the Qualys platform your 
organization is using. To identify the platform URL, refer to Identify your Qualys platform. 


If your Azure DevOps instance does not have direct Internet access and requires a proxy, click 
the Use Proxy check box, and enter the proxy server information.


Launch Scan API Parameters


In the Launch Scan API Parameters, provide a scan name and file path or directory that you 
want to scan. 


[Screenshot: Launch Scan API Parameters section with Scan Name set to $(DefinitionName)_azureDevOps_$(ID) and "Compressed File path/Directory to be scanned (optional)" set to inputs_tf_files/whitelisted_files/.]


The Scan Name is populated automatically. By default, the scan name is 
$(DefinitionName)_azureDevOps_$(ID). However, you can update the scan name. 

Enter the file name or directory path to be scanned. If you do not specify the path, the entire 
repository is scanned.


Note: By default, .tf, .yaml, .yml, .json, and .template files in the directory are scanned. If 
you want to scan a compressed file (for example, .zip, .7z, .tar, .tar.gz, or .gz), add the path 
and name of the compressed file.


Build Failure Conditions 
Configure the criteria to fail a build job based on the number of controls that failed for each 
severity. 

[Screenshot: Build Failure Conditions section with four check boxes, "Fail if the count of 'Critical' / 'High' / 'Medium' / 'Low' failed controls is more than", each with a required Enter Count field. In the example the counts are Critical 2, High 3, Medium 1 and Low 2.]


The build fails if the number of failed controls exceeds the specified number for one or more 
severity types in the scan results.


Timeout Settings


In the Timeout settings, specify the polling frequency in seconds for collecting the IaC scan 
result data. By default, it is set to 30 seconds. 


Note: We recommend setting this value to a minimum of 10 seconds.


You can also specify the timeout duration for a running scan. By default, it is set to 10 minutes. 


[Screenshot: Timeout Settings section with "How often to check for data (in seconds)" set to 30 and "How long to wait for scan results (in minutes)" set to 10.]


Save the configuration and click Queue to run the pipeline. 
Qualys IaC Scan Result


After the scan is complete, the Summary tab displays the details of the scan, such as the git 
repository that is scanned, errors (failures), scan time, and job details. 


[Screenshot: Summary tab of a manually run pipeline, showing the repository and version (branch main and commit), time started and elapsed, related work items, tests and coverage (1 artifact published), one error, and the Jobs table with "Agent job 1 - Failed - 47s". The error reads: "Qualys IaC Security Failed due to the following reasons:- terraform checkType - Failed High controls count exceeded, terraform checkType - Failed Medium controls count exceeded, terraform checkType - Failed Low controls count exceeded ...".]


To view the detailed IaC scan results, go to Qualys IaC Scan Result tab. The tab shows graphical 
data of cloud misconfigurations by criticality, number of controls causing build failure, and 
Pass/Fail Criteria Results Summary. 


[Screenshot: Qualys IaC Scan Result tab, Build Summary view. Header: IaC Scan Status FINISHED, Scan ID, Git Repo Name, Branch Name main, Scan Name ADCLI-DEMO_azureDevOps_27, Source GitHub. Charts: Cloud Misconfigurations (42) broken down into Critical (0), High (29), Medium (9) and Low (4), and Controls causing Build Failure. Below them, the Pass/Fail Criteria Results Summary table with the columns Critical, High, Medium and Low, and the legend "X Violates criteria, ✓ Satisfies criteria, = Not Configured".]


The Pass/Fail Criteria Results Summary shows the pass/fail criteria and whether they are violated 
or satisfied. When a criterion is violated, the X icon is shown, while for a satisfied criterion the 
✓ icon is shown. A criterion that is not configured is shown as "=".


Move the mouse over the X and ✓ icons to view the value that you have configured for the 
criterion and the actual value obtained after the scan.
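As an added example (not code from Qualys or the extension), the following Python mirrors how the Build Failure Conditions and the Pass/Fail Criteria Results Summary fit together: it counts failed controls per severity in a constructed scan result and compares each count with the configured number. The scan-result field names are assumptions, since the artifact's JSON schema is not documented in this guide.

```python
from collections import Counter

# Constructed sample modelled on the IaC Posture table in this guide. The field
# names are assumptions: the published artifact's JSON schema is not documented here.
SAMPLE_RESULT = {
    "scanStatus": "FINISHED",
    "controls": [
        {"controlId": 41,  "criticality": "HIGH",   "result": "FAILED", "filePath": "/security-group.tf"},
        {"controlId": 42,  "criticality": "HIGH",   "result": "PASSED", "filePath": "/security-group.tf"},
        {"controlId": 286, "criticality": "HIGH",   "result": "FAILED", "filePath": "/inputs_tf_files/main.tf"},
        {"controlId": 289, "criticality": "LOW",    "result": "FAILED", "filePath": "/security-group.tf"},
        {"controlId": 301, "criticality": "MEDIUM", "result": "FAILED", "filePath": "/main.tf"},
        {"controlId": 320, "criticality": "MEDIUM", "result": "FAILED", "filePath": "/athena.tf"},
    ],
}

# Thresholds as configured in the guide's Build Failure Conditions example.
# A severity missing from the dict (or set to None) is "Not Configured".
THRESHOLDS = {"CRITICAL": 2, "HIGH": 3, "MEDIUM": 1, "LOW": 2}
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def count_failed_by_severity(result):
    """Count FAILED controls per criticality, ignoring PASSED ones."""
    return Counter(c["criticality"].upper()
                   for c in result["controls"] if c["result"].upper() == "FAILED")


def evaluate_criteria(result, thresholds):
    """Return {severity: (configured, actual, violated)}, the values the
    Pass/Fail Criteria Results Summary shows on hover. A criterion is violated
    only when the failed count is strictly MORE THAN the configured number."""
    if result.get("scanStatus") != "FINISHED":
        raise ValueError("scan did not finish; criteria cannot be evaluated")
    failed = count_failed_by_severity(result)
    return {sev: (thresholds.get(sev), failed.get(sev, 0),
                  thresholds.get(sev) is not None and failed.get(sev, 0) > thresholds[sev])
            for sev in SEVERITIES}


def build_should_fail(summary):
    """The build fails if any configured criterion is violated."""
    return any(violated for _, _, violated in summary.values())


def failure_reasons(summary):
    """Messages in the style of the Summary tab's error line."""
    return [f"Failed {sev.capitalize()} controls count exceeded"
            for sev, (_, _, violated) in summary.items() if violated]
```

With the sample above only the Medium criterion is violated (2 failed controls against a configured count of 1), which is enough to fail the build.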


The IaC Posture section displays the details of cloud misconfigurations, such as control IDs, 
name, criticality, result, file path, and resource. 
[Screenshot: Qualys IaC Scan Result tab, IaC Posture view ("Qualys CloudView IaC Posture"), with a "Show only: criticality" filter. Example rows:]

Control Id | Control Name | Criticality | Result | File Path | Resource
41 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | HIGH | FAILED | /security-group.tf | aws_security_group.project1-sg
42 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | HIGH | PASSED | /security-group.tf | aws_security_group.project1-sg
286 | Ensure all data stored in the Launch configuration EBS is securely encrypted | HIGH | FAILED | /inputs_tf_files/main.tf | aws_instance.app_server
286 | Ensure all data stored in the Launch configuration EBS is securely encrypted | HIGH | FAILED | /inputs_tf_files/whitelisted_files/main.tf | aws_instance.app_server
286 | Ensure all data stored in the Launch configuration EBS is securely encrypted | HIGH | FAILED | /main.tf | aws_instance.app_server
289 | Ensure every security group rule has a description | LOW | FAILED | /security-group.tf | aws_security_group.project1-sg


The Remediation section displays the control IDs and associated remediation. 


[Screenshot: Qualys IaC Scan Result tab, Remediation view. Example rows:]

Control Id | Remediation
41 | Ensure aws_security_group or aws_security_group_rule resource does not have ingress cidr_blocks argument set to 0.0.0.0/0
42 | Ensure aws_security_group or aws_security_group_rule resource does not have ingress cidr_blocks argument set to 0.0.0.0/0
286 | Ensure aws_instance resource or aws_launch_configuration has encrypted argument set to True for the root_block_device
286 | Ensure aws_instance resource or aws_launch_configuration has encrypted argument set to True for the root_block_device
286 | Ensure aws_instance resource or aws_launch_configuration has encrypted argument set to True for the root_block_device
289 | Ensure aws_security_group or aws_security_group_rule resource or aws_db_security_group or aws_elasticache_security_group or aws_redshift_security_group has description argument configured for the egress and the ingress objects
301 | Remove hard-coded secrets added to user data of EC2 Launch configurations
301 | Remove hard-coded secrets added to user data of EC2 Launch configurations
301 | Remove hard-coded secrets added to user data of EC2 Launch configurations
320 | Ensure aws_athena_database resource has arguments encryption_option and kms_key configured for the encryption_configuration object


You can download the published artifact file which has all the scan details in the JSON file 
format. 


[Screenshot: Published artifacts view for the pipeline run, listing Qualys_IAC_Extension_Artifacts (74 KB) containing Qualys_IaC_Scan_result_415.json.]


What's New 


Improvements in 1.1.0 
We have added the Qualys IaC Scan Result tab to the Summary that shows the IaC scan results. You 
can also view the IaC scan results for the jobs that were run before the extension upgrade to 
version 1.1.0.